The cache table procedures and views used for performance enhancements for dynamic SQL must be protected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251646	IDMS-DB-000820	SV-251646r807805_rule		Medium

Description
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.

Description

Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.

STIG	Date
CA IDMS Security Technical Implementation Guide	2021-11-10

Details

Check Text ( C-55081r807803_chk )
For CA IDMS CV, issue "SELECT * FROM SYSCA.DSCCACHEOPT". If rows are returned, caching is on. For local, if no statement, SQL_CACHE_ENTRIES=0 exists in the SYSIDMS specification, caching is on. Examine RHDCSRTT in security domain for security on table procedures and views of DSCCACHE table; those supplied at installation (SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT,SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) or those created by organization. If no security is found for these table procedures and views, this is a finding.

Check Text ( C-55081r807803_chk )

For CA IDMS CV, issue "SELECT * FROM SYSCA.DSCCACHEOPT". If rows are returned, caching is on.

For local, if no statement, SQL_CACHE_ENTRIES=0 exists in the SYSIDMS specification, caching is on.

Examine RHDCSRTT in security domain for security on table procedures and views of DSCCACHE table; those supplied at installation (SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT,SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) or those created by organization.

If no security is found for these table procedures and views, this is a finding.

Fix Text (F-55035r807804_fix)
Either turn off use of SQL cache or secure SQL cache tables. Turn off SQL cache use in local using SYSIDMS parameter SQL_CACHE_ENTRIES=0. Turn off SQL cache use in IDMS CV and modify sysgen with statement DELETE SQL CACHE. To secure SQL cache tables add RESTYPE DB entry and RESTYPE TABL occurrences for SQL cache tables (table procedures and views) SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT,SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) and any other views of SYSCA.DSCCACHE created by the organization. For example: #SECRTT TYPE=ENTRY,RESTYPE=DB,EXTCLS='CA@IDMS', EXTNAME=(RESTYPE,ENVI,RESNAME),SECBY=OFF #SECRTT TYPE=ENTRY,RESTYPE=TABL,EXTCLS='CA@IDMS', EXTNAME=(ENVI,RESTYPE,SCHEMA,RESNAME),SECBY=EXTERNAL ... (other DB-covered ENTRYs e.g., NRU, DACC. etc.) #SECRTT TYPE=OCCUR,RESNAME='',RESTYPE=DB,SECBY=EXTERNAL Secure SQL cache tables in external security manager (ESM) using the corresponding chosen external name (e.g., PROD.TABL.SYSCA.DSCCACHE).

Fix Text (F-55035r807804_fix)

Either turn off use of SQL cache or secure SQL cache tables.

Turn off SQL cache use in local using SYSIDMS parameter SQL_CACHE_ENTRIES=0. Turn off SQL cache use in IDMS CV and modify sysgen with statement DELETE SQL CACHE.

To secure SQL cache tables add RESTYPE DB entry and RESTYPE TABL occurrences for SQL cache tables (table procedures and views) SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT,SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) and any other views of SYSCA.DSCCACHE created by the organization.

For example:
#SECRTT TYPE=ENTRY,RESTYPE=DB,EXTCLS='CA@IDMS',
EXTNAME=(RESTYPE,ENVI,RESNAME),SECBY=OFF

#SECRTT TYPE=ENTRY,RESTYPE=TABL,EXTCLS='CA@IDMS',
EXTNAME=(ENVI,RESTYPE,SCHEMA,RESNAME),SECBY=EXTERNAL
... (other DB-covered ENTRYs e.g., NRU, DACC. etc.)
#SECRTT TYPE=OCCUR,RESNAME='',RESTYPE=DB,SECBY=EXTERNAL

Secure SQL cache tables in external security manager (ESM) using the corresponding chosen external name (e.g., PROD.TABL.SYSCA.DSCCACHE).